lighttpd uses file extensions to determine which elements are programs that should be executed and which are static pages that should be sent as-is. By appending %00 to the filename, you can evade the extension detection mechanism while still accessing the file.

Impact

A remote attacker could send specific queries and access the source of scripts that should have been executed as CGI or FastCGI applications.